Darktrace Model Breach
| Id | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 |
| Rulename | Darktrace Model Breach |
| Description | This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes. |
| Severity | Medium |
| Required data connectors | DarktraceRESTConnector |
| Kind | NRT |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml |
| Version | 1.1.0 |
| Arm template | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
DtCategory == "Critical", "High",
"Informational")
customDetails:
ThreatId: ThreatId
DstPortNumber: DstPortNumber
DstMacAddr: DstMacAddr
SrcPortNumber: SrcPortNumber
DtSentinelCategory: DtSentinelCategory
SrcMacAddr: SrcMacAddr
EventStartTime: EventStartTime
EventSeverity: EventSeverity
NetworkRuleNumber: NetworkRuleNumber
DtCompliance: DtCompliance
NetworkRuleName: NetworkRuleName
DtDescription: DtDescription
DtDeviceID: DtDeviceID
DtCategory: DtCategory
name: Darktrace Model Breach
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
triggerThreshold: 0
severity: Medium
tactics:
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
entityMappings:
- entityType: Host
fieldMappings:
- columnName: SrcHostname
identifier: HostName
- entityType: Host
fieldMappings:
- columnName: DstHostname
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
- entityType: IP
fieldMappings:
- columnName: DstIpAddr
identifier: Address
queryPeriod: 5m
queryFrequency: 5m
version: 1.1.0
triggerOperator: gt
description: |
'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
query: |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
DtCategory == "Critical", "High",
"Informational")
relevantTechniques:
requiredDataConnectors:
- dataTypes:
- darktrace_model_alerts_CL
connectorId: DarktraceRESTConnector
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDescriptionFormat: '{{DtMessage}}'
alertSeverityColumnName:
alertDynamicProperties:
- value: DtBreachURL
alertProperty: AlertLink
- value: EventVendor
alertProperty: ProviderName
- value: EventProduct
alertProperty: ProductName
- value: ThreatCategory
alertProperty: ProductComponentName
- value: DtSentinelCategory
alertProperty: Severity
alertTacticsColumnName:
alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
kind: NRT
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{DtMessage}}",
"alertDisplayNameFormat": "Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "DtBreachURL"
},
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "ProductComponentName",
"value": "ThreatCategory"
},
{
"alertProperty": "Severity",
"value": "DtSentinelCategory"
}
],
"alertSeverityColumnName": null,
"alertTacticsColumnName": null
},
"alertRuleTemplateName": "a3c7b8ed-56a9-47b7-98e5-2555c16e17c9",
"customDetails": {
"DstMacAddr": "DstMacAddr",
"DstPortNumber": "DstPortNumber",
"DtCategory": "DtCategory",
"DtCompliance": "DtCompliance",
"DtDescription": "DtDescription",
"DtDeviceID": "DtDeviceID",
"DtSentinelCategory": "DtSentinelCategory",
"EventSeverity": "EventSeverity",
"EventStartTime": "EventStartTime",
"NetworkRuleName": "NetworkRuleName",
"NetworkRuleNumber": "NetworkRuleNumber",
"SrcMacAddr": "SrcMacAddr",
"SrcPortNumber": "SrcPortNumber",
"ThreatId": "ThreatId"
},
"description": "'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'\n",
"displayName": "Darktrace Model Breach",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DstHostname",
"identifier": "HostName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DstIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml",
"query": "darktrace_model_alerts_CL \n| where dtProduct_s ==\"Policy Breach\"\n| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category\n| extend EventCount=1, EventType=\"NetworkSession\", EventSchema=\"NetworkSession\", EventSchemaVersion=\"0.2.2\", EventResult=\"Success\", DvcAction = \"Allow\", EventVendor = \"Darktrace\", EventProduct = \"Darktrace DETECT\", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity\n| extend DtSentinelCategory = case(DtCategory == \"Suspicious\", \"Medium\", \n DtCategory == \"Critical\", \"High\",\n \"Informational\") \n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"templateVersion": "1.1.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}